Google Analytics 4 and GDPR cookies: the compliance guide

6 June 2026 · 5 min read

TL;DR

Google Analytics 4 (GA4) places cookies (_ga, _ga_XXXXXX, _gid) that allow Google to track visitors and their behaviour. Under the GDPR, using GA4 requires prior consent for analytics cookies. Failing to block GA4 before consent creates a compliance risk, as confirmed by the CNIL and several European data protection authorities.

Google Analytics is the world's most widely used analytics tool. But since 2022, when several European DPAs issued decisions on Universal Analytics, its successor GA4 has been under close regulatory scrutiny. How do you use GA4 compliantly? This guide answers that question.

This guide covers the cookies GA4 places, the applicable regulatory framework, how to gate GA4 on consent via a CMP, and the most common mistakes.

Which cookies does GA4 place and what data does it collect?

GA4 places cookies in the visitor's browser to identify and track sessions. These cookies allow Google to aggregate behavioural data (page views, session duration, events) and link them to a persistent visitor identifier.

GA4's main cookies

  1. _ga: unique visitor identifier, valid for 2 years by default, placed on your domain
  2. _ga_XXXXXX (where XXXXXX is your Measurement ID): GA4 session cookie, valid for 2 years
  3. _gid: session identifier, valid for 24 hours
  4. _gat_UA-XXXXXX: request throttling cookie (if present), valid for 1 minute

GA4 collects: visited URLs, interaction events (clicks, scrolls, forms), performance data, approximate geolocation, and device and browser information. This data is sent to Google's servers, some of which are located in the United States.

GA4 and cross-border data transfers

Data transfers to Google's US servers were a central concern in the 2022 European DPA decisions on Universal Analytics. Since the adoption of the EU-US Data Privacy Framework (DPF) in 2023, Google has been certified under this framework, which regularises transatlantic transfers. However, the obligation to collect prior consent for analytics cookies remains fully in force and is independent of the transfer question.

See our guide on cookie expiry and GDPR rules for the retention rules that apply to _ga cookies.

Does GA4 require consent under the GDPR?

Yes. GA4 places persistent cookies for analytics purposes that are not strictly necessary for the service requested. The ePrivacy Directive and GDPR require prior consent for such trackers. There is no blanket exemption for audience analytics tools.

The 2022 regulatory context

In 2022, several European DPAs ruled that the use of Google Analytics (Universal Analytics) created data transfers to the United States that were not GDPR-compliant under the technical conditions of the time. These decisions did not prohibit GA, but they highlighted the compliance imperative: prior consent, correct configuration, and transfer assessment.

What the ICO and EDPB say about GA4

The ICO and EDPB guidance makes clear that analytics tools that transfer data outside the EEA require careful assessment. Prior consent must be collected before GA4 fires. Configuration steps such as IP anonymisation (enabled by default in GA4), disabling Google Signals and reducing data retention are important but do not replace the consent requirement.

Before configuring GA4 under consent, run a complete cookie audit to identify all active trackers on your site.

How to gate GA4 on consent

The recommended approach is to use Google Consent Mode v2 combined with a compliant CMP. This allows GA4 to operate in a degraded mode (without cookies) before consent, then place its cookies and collect full data after acceptance.

Google Consent Mode v2 and GA4

Google Consent Mode v2 passes the user's consent state to GA4 via two key parameters: analytics_storage (for analytics cookies) and ad_storage (for advertising cookies). Before consent, GA4 operates without cookies and collects aggregated, anonymised data. After acceptance, full cookies are placed.

Our full guide on Google Consent Mode v2 covers the detailed technical setup.

Recommended GA4 configuration for compliance

  1. Enable Google Consent Mode v2 via your CMP before GA4 loads
  2. Set analytics_storage = 'denied' and ad_storage = 'denied' by default in the dataLayer
  3. Disable Google Signals in GA4 settings if your audience is primarily European
  4. Reduce data retention to 14 months (the shortest option in GA4)
  5. Verify that IP anonymisation is active (default in GA4, but confirm it has not been disabled)
  6. Do not enable ad personalisation (disable Google Ads Personalisation)
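The steps above, as an added example (this is not FlowConsent's or Google's own code): Consent Mode v2 defaults are pushed to the dataLayer first, the GA4 tag is loaded only afterwards, and a consent update is pushed when the visitor chooses. The CMP callback `onCmpChoice`, its category names (`analytics`, `marketing`) and the Measurement ID `G-PLACEHOLDER` are assumptions; `gtag('consent', 'default'|'update', …)`, `wait_for_update` and the `ad_user_data`/`ad_personalization` signals are real Consent Mode v2 parameters.

```javascript
// Added example: order of operations for Consent Mode v2 with GA4.
// In a browser this shares window.dataLayer with gtag.js; under Node a plain
// array stands in so the same logic can be exercised offline.
const dataLayer =
  typeof window !== 'undefined' ? (window.dataLayer = window.dataLayer || []) : [];
function gtag() { dataLayer.push(arguments); }

// Step 1-2: everything denied until the visitor decides. analytics_storage and
// ad_storage are the two parameters named in the guide; ad_user_data and
// ad_personalization are the two advertising signals Consent Mode v2 added.
// wait_for_update makes gtag.js hold hits for up to 500 ms awaiting the CMP.
function pushConsentDefaults() {
  const defaults = {
    analytics_storage: 'denied',
    ad_storage: 'denied',
    ad_user_data: 'denied',
    ad_personalization: 'denied',
    wait_for_update: 500,
  };
  gtag('consent', 'default', defaults);
  return defaults;
}

// Map CMP categories (assumed names) to Google's consent types. Accepting
// analytics alone must not grant any advertising signal.
function consentStateFromChoice(choice) {
  const analytics = choice.analytics === true ? 'granted' : 'denied';
  const marketing = choice.marketing === true ? 'granted' : 'denied';
  return {
    analytics_storage: analytics,
    ad_storage: marketing,
    ad_user_data: marketing,
    ad_personalization: marketing,
  };
}

// Hypothetical CMP callback: push the visitor's choice as a consent update.
function onCmpChoice(choice) {
  const state = consentStateFromChoice(choice);
  gtag('consent', 'update', state);
  return state;
}

// GA4 Measurement IDs have the form G-XXXXXXXXXX; reject anything else so a
// template error cannot load an arbitrary script URL.
function ga4LoaderUrl(measurementId) {
  if (!/^G-[A-Z0-9]+$/.test(measurementId)) throw new Error('bad Measurement ID');
  return 'https://www.googletagmanager.com/gtag/js?id=' + encodeURIComponent(measurementId);
}

// Load the GA4 tag. Call this only after pushConsentDefaults(); with defaults
// denied, gtag.js starts without writing _ga / _ga_* cookies.
function loadGa4(measurementId) {
  const url = ga4LoaderUrl(measurementId);
  if (typeof document !== 'undefined') {
    const s = document.createElement('script');
    s.async = true;
    s.src = url;
    document.head.appendChild(s);
  }
  gtag('js', new Date());
  gtag('config', measurementId);
  return url;
}

// Self-check for the ordering mistake described under "Common mistakes":
// true only if a consent default was pushed before the first config call.
function defaultsPrecedeConfig() {
  const firstDefault = dataLayer.findIndex((a) => a[0] === 'consent' && a[1] === 'default');
  const firstConfig = dataLayer.findIndex((a) => a[0] === 'config');
  return firstDefault !== -1 && (firstConfig === -1 || firstDefault < firstConfig);
}

pushConsentDefaults();
loadGa4('G-PLACEHOLDER'); // placeholder Measurement ID
```

In production the `pushConsentDefaults()` call sits inline in the `<head>` above the gtag.js script tag (or in GTM's consent initialisation trigger), and the CMP invokes `onCmpChoice` both on a fresh choice and on every page load where a stored choice exists.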


Common mistakes with GA4 and the GDPR

GA4 is loaded in the <head> without a condition. The script and cookies fire on page load, before the banner. Fix: use GTM with Consent Mode v2, or block the script via the CMP.

The analytics consent exemption is invoked. Some DPAs recognise a limited exemption for first-party audience measurement tools under strict conditions, but GA4 in its standard configuration does not meet those criteria. It sends data to Google and cannot be considered an internal measurement tool.

IP anonymisation is presented as sufficient to avoid consent. Partial IP anonymisation does not exempt GA4's persistent cookies from the consent requirement. These are separate issues.

Google Signals is active without specific disclosure. Google Signals enables cross-device remarketing and audience measurement. It processes additional data and requires specific disclosure and consent. Disable it if you do not use it.

Data retention is left at 26 months (the default). Reduce it to 14 months in GA4 settings (Admin > Data Settings > Data Retention) to respect the data minimisation principle.

Consent Mode v2 is implemented in 'basic' mode without understanding the difference. Basic mode does not load GA4 at all before consent. Advanced mode lets GA4 run in a degraded mode and model conversions. Choose according to your needs, but understand the trade-offs.

GA4 and GDPR compliance checklist

  1. Block the GA4 or GTM script by default via your CMP
  2. Implement Google Consent Mode v2 with analytics_storage and ad_storage set to 'denied' by default
  3. Verify that GA4 places no _ga cookie before acceptance (test in private browsing)
  4. Reduce data retention to 14 months in GA4 settings
  5. Disable Google Signals if you do not use cross-device remarketing
  6. Do not enable Google Ads Personalisation
  7. Mention GA4 and Google Ireland Ltd in your privacy policy
  8. Document the data transfer to the US and DPF coverage
  9. Verify consent is required before any GA4 event (PageView, click, etc.)
  10. Document the processing in your GDPR Article 30 record

Conclusion

GA4 can be used in a GDPR-compliant way, provided you collect prior consent and correctly configure Google Consent Mode v2. The CMP plus Consent Mode v2 combination lets you retain analytics data while respecting your visitors' choices.

Scan your site to verify that _ga cookies do not fire before consent with the FlowConsent cookie scanner.


Frequently asked questions

Is GA4 banned under the GDPR?

No, GA4 is not banned. It is subject to a prior consent requirement like any analytics tool that places persistent cookies. With Google Consent Mode v2 and a compliant CMP, you can use it lawfully while retaining a portion of your analytics data.

Does IP anonymisation in GA4 remove the consent requirement?

No. IP anonymisation is a good practice that reduces the identifiability of data, but it does not exempt the persistent _ga and _ga_XXXXXX cookies from the consent requirement. These cookies track visitors over time and require prior consent.

What is Google Consent Mode v2 and why use it with GA4?

Google Consent Mode v2 is a mechanism that passes consent state to GA4 and other Google products. Before acceptance, GA4 operates without cookies and collects aggregated data. After acceptance, full cookies are placed. It is the recommended approach for balancing GDPR compliance with analytics.

Can GA4 be used under a consent exemption for analytics?

Some DPAs recognise a limited exemption for strictly functional, first-party audience measurement tools, but GA4 in its standard configuration does not qualify: it sends data to Google (a third party), places 2-year persistent cookies, and can be used for advertising purposes. Use it under consent.

How do I verify that GA4 does not load before consent?

Open your site in private browsing mode, before interacting with the banner. In the Chrome DevTools Network tab, filter for 'google-analytics' or '.com/g/'. If requests appear before any interaction, your scripts are not correctly blocked.
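The private-browsing check above, and item 3 of the checklist ("verify that GA4 places no _ga cookie before acceptance"), as an added example that is not part of this guide and not FlowConsent's scanner: it takes `document.cookie` and a list of request URLs copied from the Network tab, reports GA4 cookies and `/g/collect` hits, and, after consent, checks whether `_ga` was created before the consent timestamp using the first-visit field in its value. The sample cookies and URLs are constructed; the `_ga_ABC123XYZ` name and `G-PLACEHOLDER` ID are placeholders.

```javascript
// Added example: audit helpers for "does GA4 fire before consent?".
// Cookie names the guide lists: _ga, _ga_<container>, _gid, _gat[_<id>].
const GA_COOKIE_RE = /^(?:_ga|_ga_[A-Z0-9]+|_gid|_gat(?:_[A-Za-z0-9_-]+)?)$/;

function hostMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Parse a document.cookie string into {name, value} pairs.
function parseCookies(cookieHeader) {
  return cookieHeader
    .split(';')
    .map((s) => s.trim())
    .filter(Boolean)
    .map((kv) => {
      const i = kv.indexOf('=');
      return i < 0 ? { name: kv, value: '' } : { name: kv.slice(0, i), value: kv.slice(i + 1) };
    });
}

function gaCookies(cookieHeader) {
  return parseCookies(cookieHeader).filter((c) => GA_COOKIE_RE.test(c.name));
}

// _ga holds "GA1.<domain depth>.<random id>.<first-visit unix seconds>"; the
// last field records when the cookie was first written in this browser.
function gaFirstVisit(gaValue) {
  const m = /^GA1\.\d+\.\d+\.(\d{9,10})$/.exec(gaValue);
  return m ? new Date(Number(m[1]) * 1000) : null;
}

// Classify a request URL: 'loader' for the gtag.js / GTM script, 'collect'
// for a GA4 hit to the /g/collect endpoint the guide tells you to filter on,
// or null for anything else (including unparseable strings).
function classifyRequest(url) {
  let u;
  try { u = new URL(url); } catch (e) { return null; }
  const host = u.hostname;
  if (hostMatches(host, 'googletagmanager.com') &&
      (u.pathname.startsWith('/gtag/js') || u.pathname === '/gtm.js')) return 'loader';
  if ((hostMatches(host, 'google-analytics.com') || hostMatches(host, 'analytics.google.com')) &&
      u.pathname.endsWith('/g/collect')) return 'collect';
  return null;
}

// Pre-consent verdict: blocked only if no GA cookie exists and no hit was sent.
function auditPreConsent(cookieHeader, requestUrls) {
  const cookies = gaCookies(cookieHeader).map((c) => c.name);
  const hits = requestUrls.filter((u) => classifyRequest(u) === 'collect');
  const loaders = requestUrls.filter((u) => classifyRequest(u) === 'loader');
  return { cookies, hits, loaders, blocked: cookies.length === 0 && hits.length === 0 };
}

// Post-consent check: was _ga created earlier than the recorded consent time?
function gaSetBeforeConsent(cookieHeader, consentAt) {
  const ga = gaCookies(cookieHeader).find((c) => c.name === '_ga');
  const first = ga ? gaFirstVisit(ga.value) : null;
  return first !== null && first.getTime() < consentAt.getTime();
}

// Constructed sample of a mis-configured site, captured before the banner.
const SAMPLE_COOKIES =
  '_ga=GA1.1.1234567890.1717660800; _ga_ABC123XYZ=GS1.1.1717660800.1.1.1717660900.0.0.0; ' +
  '_gid=GA1.1.987654321.1717660800; theme=dark';
const SAMPLE_REQUESTS = [
  'https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER',
  'https://www.google-analytics.com/g/collect?v=2&tid=G-PLACEHOLDER&en=page_view',
  'https://example.test/app.js',
];

console.log(auditPreConsent(SAMPLE_COOKIES, SAMPLE_REQUESTS));
```

Run `auditPreConsent(document.cookie, urls)` from the DevTools console on the pre-banner page; `blocked: false` with any `_ga*` cookie or `/g/collect` hit means the CMP is not gating the script. Note that the verdict assumes basic mode or CMP-side blocking: in Consent Mode's advanced mode, cookieless pings to `/g/collect` appear before consent by design, so there the cookie list is the decisive part.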